HTTP will always be open to man-in-the-middle attacks, so if you send your password hashed, the same password could still be sent by a third party impersonating as your user. This is why HTTPS must be used.
You can use a dedicated user to call your webservices, and if you want to use a non-readable password, it is always up to you. Take your word "password", put it through a MD5, SHA - or whatever else you like - generator and set it in Remedy and in the other system as "5f4dcc3b5aa765d61d8327deb882cf99". This way, at least you can pretend it is not clear text. Except for what was already mentioned (HTTPS) don't forget about firewalling to permit access only from specific hosts. Hope it helps. Best regards, Mihai -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of John Baker Sent: Tuesday, November 26, 2013 11:08 PM To: arslist@ARSLIST.ORG Subject: Remedy 7.6.04 Web Services Password encryption Expanding on LJ's response, you may wish to consider SSL client certificates, so users of the service can not connect unless they have a client certificate. Whilst there's probably no way to get the username from within the (very limited) AR System web service implementation, you can at least sleep soundly knowing you know who's connecting to it. _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years" The information contained in this e-mail message is privileged and confidential and is for the exclusive use of the addressee. The person who receives this message and who is not the addressee, one of his employees or an agent entitled to hand it over to the addressee, is informed that he may not use, disclose or reproduce the contents thereof, and is kindly asked to notify the sender and delete the e-mail immediately. _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
